Vulnerability Description
Multiple directory traversal vulnerabilities in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allow (1) remote authenticated users with access to the LogManagement functionality to read arbitrary files via a .. (dot dot) in the logname parameter to out/out.LogManagement.php or (2) remote attackers to write to arbitrary files via a .. (dot dot) in the fileId parameter to op/op.AddFile2.php. NOTE: vector 2 can be leveraged to execute arbitrary code by using CVE-2014-2278.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Seeddms | Seeddms | <= 4.3.3 |
Related Weaknesses (CWE)
References
- http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html
- http://osvdb.org/show/osvdb/104466
- http://packetstormsecurity.com/files/125726
- http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOGVendor Advisory
- http://www.securityfocus.com/bid/66256
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91831
- http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html
- http://osvdb.org/show/osvdb/104466
- http://packetstormsecurity.com/files/125726
- http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOGVendor Advisory
- http://www.securityfocus.com/bid/66256
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91831
FAQ
What is CVE-2014-2279?
CVE-2014-2279 is a vulnerability with a CVSS score of 6.4 (MEDIUM). Multiple directory traversal vulnerabilities in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allow (1) remote authenticated users with access to the LogManagement functionality to read arbitrary ...
How severe is CVE-2014-2279?
CVE-2014-2279 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-2279?
Check the references section above for vendor advisories and patch information. Affected products include: Seeddms Seeddms.